A Facebook bug let app developers see photographs users had uploaded, but never posted, the social network said.
For two weeks in September, an error in the way Facebook shares photographs with third parties meant that apps could see not only photos users had posted on their Newsfeed, but also pictures in other parts of the site — on Facebook Stories or Facebook’s Marketplace, for instance.
The bug also “impacted photos that people uploaded to Facebook, but chose not to post,” Facebook developer Tomer Bar said in a statement on Friday.
Importantly, the only applications that had access to the hidden photographs were those to which users had already granted access to all their public photos, through the company’s application programming interface, Bar said.
“Currently, we believe this may have affected up to 6.8 million users and up to 1,500 apps built by 876 developers,” Bar said.
Users affected are those who had given permission to third-party apps to access their photos through the Facebook log-in function. There is no evidence that the bug led to any large-scale extraction of photos from the site.
“We’re sorry this happened,” Bar added. “Early next week we will be rolling out tools for app developers that will allow them to determine which people using their app might be impacted by this bug. We will be working with those developers to delete the photos from impacted users.”
The error is comparatively minor given Facebook’s scale.
In September, almost five times as many accounts were affected by a data breach in which hackers accessed personal information, including name, relationship status, search activity and recent location check-ins.
“The vulnerability was the result of a complex interaction of three distinct software bugs and it impacted ‘view as,’ a feature that lets people see what their own profile looks like to someone else,” Facebook vice president of product management Guy Rosen said at the time.
“It allowed attackers to steal Facebook access tokens, which they could then use to take over people’s accounts. Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app,” he added.